Status: Verified
Closed: Feb 2012
OS: Linux
Pri: 2
Type: Bug-Security

Browser crash with FTP video source
Reported by aohe...@gmail.com, Feb 7 2012
Chrome Version       : 17.0.963.46 (Official Build 119351) beta
OS Version: Linux (Debian 6.0.4, x86_64)
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5:
  Firefox 4.x: OK
     IE 7/8/9:

What steps will reproduce the problem?
1. $ echo "<video src=ftp://1>" > ftp.html
2. ...
3. $ google-chrome ftp.html

What is the expected result?
Chrome doesn't crash.

What happens instead?
Chrome IO thread crashes taking the rest of the browser with it.

Please provide any additional information below. Attach a screenshot if
possible.

This looks like a plain null deref, so not reporting as a security bug.

 
Attachment: ftp.html (20 bytes)
Comment 1 by aohe...@gmail.com, Feb 7 2012
Trace from 19.0.1031.0 (Developer Build 120523) / ASan:

==14494== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7fc777675f7c sp 0x7fc760c0a9c0 bp 0x7fc760c0b0d0 T10)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fc777675f7c in net::URLRequestFtpJob::StartTransaction() ???:0
    #1 0x7fc77767771e in net::URLRequestFtpJob::Start() ???:0
    #2 0x7fc7774b88f2 in net::URLRequest::StartJob(net::URLRequestJob*) ???:0
    #3 0x7fc7774b818d in net::URLRequest::Start() ???:0
    #4 0x7fc77b006ada in ResourceQueue::AddRequest(net::URLRequest*, ResourceDispatcherHostRequestInfo const&) ???:0
    #5 0x7fc77afe7534 in ResourceDispatcherHost::BeginRequestInternal(net::URLRequest*) ???:0
    #6 0x7fc77afe5ae8 in ResourceDispatcherHost::BeginRequest(int, ResourceHostMsg_Request const&, IPC::Message*, int) ???:0
    #7 0x7fc77afe250a in ResourceDispatcherHost::OnMessageReceived(IPC::Message const&, ResourceMessageFilter*, bool*) ???:0
    #8 0x7fc77b0053f9 in ResourceMessageFilter::OnMessageReceived(IPC::Message const&, bool*) ???:0
    #9 0x7fc77ae1d69d in content::BrowserMessageFilter::DispatchMessage(IPC::Message const&) ???:0
    #10 0x7fc77ae1d3b7 in content::BrowserMessageFilter::OnMessageReceived(IPC::Message const&) ???:0
    #11 0x7fc7781e22a4 in IPC::ChannelProxy::Context::OnMessageReceived(IPC::Message const&) ???:0
    #12 0x7fc7781dc92b in IPC::Channel::ChannelImpl::ProcessIncomingMessages() ???:0
    #13 0x7fc7781e0325 in IPC::Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int) ???:0
    #14 0x7fc7769f26de in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) ???:0
    #15 0x7fc776b24d17 in event_base_loop ???:0
    #16 0x7fc7769f2d79 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #17 0x7fc776a57bae in MessageLoop::RunInternal() ???:0
    #18 0x7fc776a55d9f in MessageLoop::Run() ???:0
    #19 0x7fc776ad04fc in base::Thread::ThreadMain() ???:0
    #20 0x7fc776ac756c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #21 0x7fc77c8934e7 in __asan::AsanThread::ThreadStart() ??:0

Cc: imasaki@chromium.org alek...@chromium.org
Labels: Feature-Media-Audio
Status: Untriaged
Thank you for filing this issue. Please allow us some time to take a look at the issue. 
Labels: -Feature-Media-Audio Feature-Media Stability-Crash
Repro on Win 7. Crash ID: 8600170923e4aab6 
Doesn't happen with <image src="ftp://1" /> 
Owner: fischman@chromium.org
Status: Started
Project Member Comment 5 by bugdroid1@chromium.org, Feb 10 2012
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=121378

------------------------------------------------------------------------
r121378 | fischman@chromium.org | Thu Feb 09 17:56:25 PST 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/profiles/profile_impl_io_data.cc?r1=121378&r2=121377&pathrev=121378

Give the media context an ftp job factory; prevent a browser crash.

BUG= 112983 
TEST=none


Review URL: http://codereview.chromium.org/9372002
------------------------------------------------------------------------
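As an added illustration, not Chromium's code and not taken from the revision above: a hypothetical C++ model of the pattern the trace shows (a scheme-to-factory lookup whose null result is dereferenced on the IO thread) beside a checked version that fails only the request, with the media context built with or without the ftp factory to mirror the fix. Every name, type and status value here is constructed.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>

// Hypothetical model of the crash pattern (not Chromium's code): each request
// context maps URL schemes to a job factory, and a job for a scheme is
// started by dereferencing whatever the lookup returned.
struct Job {
  virtual ~Job() = default;
  virtual int Start() = 0;  // returns a status code (constructed values below)
};
struct FtpJob : Job {
  int Start() override { return 1; }  // constructed: 1 = "transaction started"
};
using JobFactory = std::function<std::unique_ptr<Job>()>;

struct RequestContext {
  std::map<std::string, JobFactory> factories;
  // Returns nullptr when no factory was registered for the scheme.
  const JobFactory* Lookup(const std::string& scheme) const {
    auto it = factories.find(scheme);
    return it == factories.end() ? nullptr : &it->second;
  }
};
// Unchecked start: assumes every context registered every scheme. With a
// context lacking an "ftp" entry this dereferences null, as in the trace.
int StartUnchecked(const RequestContext& ctx, const std::string& scheme) {
  return (*ctx.Lookup(scheme))()->Start();
}
// Checked start: an unregistered scheme fails the request, not the process.
// kErrNoHandler is a constructed value, not a Chromium error code.
constexpr int kErrNoHandler = -1;
int StartChecked(const RequestContext& ctx, const std::string& scheme) {
  const JobFactory* factory = ctx.Lookup(scheme);
  if (!factory) return kErrNoHandler;
  return (*factory)()->Start();
}
// The media context originally had no ftp entry; register_ftp=true models
// the fix of giving it the ftp factory that the main context already had.
RequestContext MakeMediaContext(bool register_ftp) {
  RequestContext ctx;
  if (register_ftp) {
    ctx.factories["ftp"] = []() -> std::unique_ptr<Job> {
      return std::make_unique<FtpJob>();
    };
  }
  return ctx;
}
```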
Comment 6 by fischman@google.com, Feb 10 2012
Status: Fixed
Status: Verified
Win7, gc: 19.0.1044.0 (Official Build 122251) canary - unable to reproduce 
crash doesn't happen. Verified. 

and I was able to reproduce on: Ubuntu, gc: 18.0.1025.33 (Official Build 122015) beta 
my gc crashed. 

Status: Fixed
fischman@google.com: 
can you specify on which platform and which chrome build the fixes were applied to? 
thank you, 

alekyoo: fix applies to all platforms.  m18 was branched before the fix landed, so I would expect current m19 to have the fix and m18 and earlier to not have it.
Status: Verified
Thank you, tried with 19.0.1041.0 dev, unable to reproduce. 
Verified. 

Cc: enal@chromium.org scherkus@chromium.org acolwell@chromium.org vivianz@chromium.org anan...@chromium.org vrk@chromium.org crogers@google.com
Issue 114662 has been merged into this issue.
Cc: wtc@chromium.org eroman@chromium.org
Issue 106742 has been merged into this issue.
Issue 117163 has been merged into this issue.
Comment 15 by kenrb@chromium.org, Mar 26 2012
Cc: feature-media-bugs@chromium.org xhw...@chromium.org fischman@chromium.org
Issue 119995 has been merged into this issue.
Labels: -Type-Bug Type-Security SecSeverity-Low Mstone-18 Merge-Approved
Issue 123881 has been merged into this issue.
Labels: -Mstone-18 -Merge-Approved Mstone-19
I don't think we need this for M18 so marking done for M19.
Issue 125459 has been merged into this issue.
Cc: phajdan.jr@chromium.org
Issue 126618 has been merged into this issue.
Labels: CVE-2011-3083
Cc: e...@chromium.org cbentzel@chromium.org willchan@chromium.org
Issue 127924 has been merged into this issue.
(And it does appear to be fixed on TOT, so we're good.)
Project Member Comment 25 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 26 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Feature-Media -SecSeverity-Low -Mstone-19 Security-Severity-Low Cr-Internals-Media M-19 Type-Bug-Security
Project Member Comment 27 by bugdroid1@chromium.org, Mar 11 2013
Labels: -Area-Undefined
Project Member Comment 28 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 29 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 30 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 31 by sheriffbot@chromium.org, Oct 1 2016
Labels: Restrict-View-SecurityNotify
Project Member Comment 32 by sheriffbot@chromium.org, Oct 2 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic